Phil Mayers wrote: > Alan - it does look to my untrained eye as if the "client.crt" Makefile > target in /etc/raddb/certs is signing the client key with the server > key. Is this intentional, or a bug?
It's intentional. It's a perfectly valid use of certificate chains. The idea is that you have one CA for your organization, and (perhaps) multiple RADIUS servers. Each server has it's own identity, and can issue it's own client certs for EAP-TLS. But client certs will work across multiple servers, because the servers are signed by the same CA. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html